package de.adorsys.ledgers.middleware.rest.security;

import de.adorsys.ledgers.keycloak.client.mapper.KeycloakAuthMapper;
import de.adorsys.ledgers.middleware.api.domain.account.AccountDetailsTO;
import de.adorsys.ledgers.middleware.api.domain.account.AccountIdentifierTypeTO;
import de.adorsys.ledgers.middleware.api.domain.account.AccountReferenceTO;
import de.adorsys.ledgers.middleware.api.domain.sca.OpTypeTO;
import de.adorsys.ledgers.middleware.api.domain.sca.StartScaOprTO;
import de.adorsys.ledgers.middleware.api.domain.um.AccessTokenTO;
import de.adorsys.ledgers.middleware.api.domain.um.UserRoleTO;
import de.adorsys.ledgers.middleware.api.domain.um.UserTO;
import de.adorsys.ledgers.middleware.api.service.MiddlewareAccountManagementService;
import de.adorsys.ledgers.middleware.api.service.MiddlewarePaymentService;
import de.adorsys.ledgers.middleware.api.service.MiddlewareRedirectScaService;
import de.adorsys.ledgers.middleware.api.service.MiddlewareUserManagementService;
import java.time.LocalDateTime;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections4.CollectionUtils;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:de/adorsys/ledgers/middleware/rest/security/AccountAccessMethodSecurityExpressionRoot.class */
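/**
 * Authorization predicates over accounts, users, payments and SCA operations, evaluated for the
 * authenticated principal carried by the {@link Authentication} passed to the constructor.
 *
 * <p>Presumably these methods are invoked from method-security expressions (confirm against the
 * annotated controllers). Each predicate is a complete access decision for its caller, so they are
 * written to deny when token data is missing rather than fail with an unrelated exception.
 *
 * <p>NOTE(review): this listing is decompiler output; raw types and a synthetic lambda capture
 * ({@code r1}) that did not compile have been restored to typed code.
 */
public class AccountAccessMethodSecurityExpressionRoot extends SecurityExpressionAdapter {

    /**
     * Passes all collaborators through to {@link SecurityExpressionAdapter}.
     *
     * <p>The parameter order here differs from the superclass constructor (the auth mapper and the
     * user management service are swapped), so arguments are forwarded by name, not by position.
     */
    public AccountAccessMethodSecurityExpressionRoot(Authentication authentication, MiddlewareAccountManagementService middlewareAccountManagementService, MiddlewarePaymentService middlewarePaymentService, KeycloakAuthMapper keycloakAuthMapper, MiddlewareUserManagementService middlewareUserManagementService, MiddlewareRedirectScaService middlewareRedirectScaService) {
        super(authentication, middlewareAccountManagementService, middlewarePaymentService, middlewareUserManagementService, keycloakAuthMapper, middlewareRedirectScaService);
    }

    /**
     * Tells whether the submitted user may be registered as a new staff user.
     *
     * @param userTO the user being created
     * @return {@code true} if the user carries the SYSTEM role, or if no users are counted for the
     *     branch identified by the user's own id
     */
    public boolean isNewStaffUser(UserTO userTO) {
        // NOTE(review): the SYSTEM role is read from the submitted object, not from the caller's
        // token; confirm callers restrict who may submit a user with that role.
        boolean declaresSystemRole = CollectionUtils.isNotEmpty(userTO.getUserRoles())
                && userTO.getUserRoles().contains(UserRoleTO.SYSTEM);
        return declaresSystemRole || this.userManagementService.countUsersByBranch(userTO.getId()) == 0;
    }

    /**
     * Manager-level check for an account addressed by IBAN.
     *
     * @param iban IBAN of the account
     * @return {@code true} if the caller holds the SYSTEM or STAFF role, is enabled, and is either
     *     SYSTEM or has access to the IBAN
     */
    public boolean hasManagerAccessToAccountIban(String iban) {
        UserTO user = user();
        return hasAnyRole(UserRoleTO.SYSTEM.name(), UserRoleTO.STAFF.name())
                && user.isEnabled()
                && hasManagerAccessIban(iban, user);
    }

    /**
     * Manager-level check for an account addressed by its id.
     *
     * @param accountId id of the account
     * @return {@code true} if the caller holds the SYSTEM or STAFF role, is enabled, and is either
     *     SYSTEM or has access to the account id
     */
    public boolean hasManagerAccessToAccountId(String accountId) {
        UserTO user = user();
        return hasAnyRole(UserRoleTO.SYSTEM.name(), UserRoleTO.STAFF.name())
                && user.isEnabled()
                && hasManagerAccessId(accountId, user);
    }

    /**
     * Tells whether the described account may be created for the given user.
     *
     * @param accountDetailsTO the account to be created
     * @param userId id of the user the account is created for
     * @return {@code true} if no account exists yet for the IBAN; otherwise {@code true} only if no
     *     existing account uses the requested currency and the user already has access to the IBAN
     */
    public boolean isNewAccountAndCanBeCreatedForUser(AccountDetailsTO accountDetailsTO, String userId) {
        // The empty currency argument is passed as in the original; presumably it means "any
        // currency" -- confirm against the account service.
        List<AccountDetailsTO> existing = this.accountService.getAccountsByIbanAndCurrency(accountDetailsTO.getIban(), "");
        if (CollectionUtils.isEmpty(existing)) {
            // A previously unseen IBAN is accepted without consulting userId at all.
            return true;
        }
        // Objects.equals instead of ==: the decision must not depend on object identity.
        boolean currencyUnused = existing.stream()
                .map(AccountDetailsTO::getCurrency)
                .noneMatch(currency -> Objects.equals(accountDetailsTO.getCurrency(), currency));
        return currencyUnused
                && this.userManagementService.findById(userId).hasAccessToAccountWithIban(accountDetailsTO.getIban());
    }

    /**
     * Manager-level check for another user.
     *
     * @param userId id of the user being accessed
     * @return {@code true} if the caller holds the SYSTEM or STAFF role, is enabled, and (for STAFF)
     *     the target user's branch equals the caller's id
     */
    public boolean hasManagerAccessToUser(String userId) {
        UserTO user = user();
        return hasAnyRole(UserRoleTO.SYSTEM.name(), UserRoleTO.STAFF.name())
                && user.isEnabled()
                && hasAccessToUser(user, userId);
    }

    /**
     * @param userId id to compare with the caller's id
     * @return {@code true} if the id belongs to the authenticated user
     */
    public boolean isSameUser(String userId) {
        return user().getId().equals(userId);
    }

    /**
     * Resolves the payment's account and applies {@link #hasAccessToAccount(String)} to it.
     *
     * @param paymentId id of the payment
     */
    public boolean hasAccessToAccountByPaymentId(String paymentId) {
        return hasAccessToAccount(getAccountIdFromPayment(paymentId));
    }

    /**
     * Checks access to every IBAN in the collection.
     *
     * @param collection IBANs to check
     * @return {@code true} for SYSTEM users; for STAFF users if they have access to all IBANs; for
     *     other users if they have access to all IBANs and every account behind them is enabled
     */
    public boolean hasAccessToAccountsWithIbans(Collection<String> collection) {
        UserTO user = user();
        // NOTE(review): unlike the hasManagerAccess* checks, the SYSTEM and STAFF branches here do
        // not consult user.isEnabled(); confirm disabled users are rejected before this point.
        if (userHasRole(user, UserRoleTO.SYSTEM)) {
            return true;
        }
        if (!user.hasAccessToAccountsWithIbans(collection)) {
            return false;
        }
        // NOTE(review): allMatch is vacuously true for an empty collection, so the outcome for an
        // empty IBAN list rests entirely on UserTO.hasAccessToAccountsWithIbans.
        return userHasRole(user, UserRoleTO.STAFF) || collection.stream().allMatch(this::isEnabledAccountIban);
    }

    /**
     * Checks access to a single account by id.
     *
     * @param accountId id of the account
     * @return {@code true} for SYSTEM users; for STAFF users with access to the account; for other
     *     users with access to the account when the account is enabled
     */
    public boolean hasAccessToAccount(String accountId) {
        UserTO user = user();
        if (userHasRole(user, UserRoleTO.SYSTEM)) {
            return true;
        }
        if (!user.hasAccessToAccountWithId(accountId)) {
            return false;
        }
        return userHasRole(user, UserRoleTO.STAFF) || isEnabledAccount(accountId);
    }

    /**
     * Checks access to a single account by IBAN.
     *
     * @param iban IBAN of the account
     * @return {@code true} for SYSTEM users; for STAFF users with access to the IBAN; for other
     *     users with access to the IBAN when every account behind it is enabled
     */
    public boolean hasAccessToAccountWithIban(String iban) {
        UserTO user = user();
        if (userHasRole(user, UserRoleTO.SYSTEM)) {
            return true;
        }
        if (!user.hasAccessToAccountWithIban(iban)) {
            return false;
        }
        return userHasRole(user, UserRoleTO.STAFF) || isEnabledAccountIban(iban);
    }

    /**
     * Dispatches to the IBAN check or the account-id check according to the identifier type.
     *
     * @param accountIdentifierTypeTO kind of identifier supplied
     * @param accountIdentifier the IBAN when the type is IBAN, otherwise treated as an account id
     */
    public boolean accountInfoByIdentifier(AccountIdentifierTypeTO accountIdentifierTypeTO, String accountIdentifier) {
        if (accountIdentifierTypeTO == AccountIdentifierTypeTO.IBAN) {
            return hasAccessToAccountWithIban(accountIdentifier);
        }
        // Every non-IBAN type (including null) falls back to the account-id check.
        return hasAccessToAccount(accountIdentifier);
    }

    /**
     * @param accountId id of the account
     * @return the enabled flag of the deposit account loaded for the current time
     */
    public boolean isEnabledAccount(String accountId) {
        return this.accountService.getDepositAccountById(accountId, LocalDateTime.now(), false).isEnabled();
    }

    /**
     * Checks whether the user with the given login has access to the IBAN.
     *
     * <p>NOTE(review): the decision is made for the supplied login, not for the authenticated
     * principal; the caller must establish that the principal may act for that login.
     *
     * @param login login of the user to check
     * @param iban IBAN of the account
     */
    public boolean hasAccessToAccountByLogin(String login, String iban) {
        return this.userManagementService.findByUserLogin(login).hasAccessToAccountWithIban(iban);
    }

    /**
     * Checks whether the user with the given login has access to all referenced accounts.
     *
     * <p>NOTE(review): as with {@link #hasAccessToAccountByLogin(String, String)}, the supplied
     * login is trusted as-is and is not compared with the authenticated principal here.
     *
     * @param login login of the user to check
     * @param list account references whose IBANs are checked
     */
    public boolean hasAccessToAccountsByLogin(String login, List<AccountReferenceTO> list) {
        Set<String> ibans = list.stream()
                .map(AccountReferenceTO::getIban)
                .collect(Collectors.toSet());
        return this.userManagementService.findByUserLogin(login).hasAccessToAccountsWithIbans(ibans);
    }

    /**
     * @param userId id of the user to look up
     * @return the enabled flag of that user
     */
    public boolean isEnabledUser(String userId) {
        return this.userManagementService.findById(userId).isEnabled();
    }

    /** @return {@code true} if the token carries the sca, partial_access or full_access scope */
    public boolean hasScaScope() {
        return hasAnyScope("sca", "partial_access", "full_access");
    }

    /** @return {@code true} if the token carries the partial_access or full_access scope */
    public boolean hasPartialScope() {
        return hasAnyScope("partial_access", "full_access");
    }

    /**
     * Checks access to the account(s) behind an SCA operation.
     *
     * @param startScaOprTO the SCA operation; for PAYMENT and CANCEL_PAYMENT its operation id is
     *     used as a payment id, for every other type as a consent id
     */
    public boolean hasAccessToAccountByScaOperation(StartScaOprTO startScaOprTO) {
        OpTypeTO opType = startScaOprTO.getOpType();
        if (opType == OpTypeTO.PAYMENT || opType == OpTypeTO.CANCEL_PAYMENT) {
            return hasAccessToAccountByPaymentId(startScaOprTO.getOprId());
        }
        return hasAccessToAccountsWithIbans(this.accountService.getAccountsFromConsent(startScaOprTO.getOprId()));
    }

    /**
     * Loads the SCA operation for the authorization and applies
     * {@link #hasAccessToAccountByScaOperation(StartScaOprTO)} to it.
     *
     * @param authorizationId id of the authorization
     */
    public boolean hasAccessToAccountByAuthorizationId(String authorizationId) {
        return hasAccessToAccountByScaOperation(this.scaService.loadScaInformation(authorizationId));
    }

    /** Maps the Keycloak security context held as the authentication's credentials to a token TO. */
    private AccessTokenTO getAccessTokenTO() {
        return this.authMapper.toAccessToken((RefreshableKeycloakSecurityContext) this.authentication.getCredentials());
    }

    /** Loads the authenticated user by the login taken from the access token. */
    private UserTO user() {
        return this.userManagementService.findByUserLogin(getAccessTokenTO().getLogin());
    }

    /** Returns {@code true} if the token's scopes contain at least one of the given names. */
    private boolean hasAnyScope(String... strArr) {
        Set<String> scopes = getScopes();
        return Arrays.stream(strArr).anyMatch(scopes::contains);
    }

    /**
     * Reads the space-separated scope claim of the Keycloak token.
     *
     * @return the scopes, or an empty set when the context, token or scope claim is absent, so that
     *     scope checks deny instead of failing with a NullPointerException
     */
    private Set<String> getScopes() {
        RefreshableKeycloakSecurityContext context = (RefreshableKeycloakSecurityContext) this.authentication.getCredentials();
        if (context == null || context.getToken() == null) {
            return new HashSet<>();
        }
        String scope = context.getToken().getScope();
        if (scope == null) {
            return new HashSet<>();
        }
        return new HashSet<>(Arrays.asList(scope.split(" ")));
    }

    /** Returns {@code true} if every account found for the IBAN is enabled. */
    private boolean isEnabledAccountIban(String iban) {
        // NOTE(review): an IBAN with no matching account yields true (allMatch on an empty list);
        // callers pair this with a user-access check, which is what actually denies unknown IBANs.
        return this.accountService.getAccountsByIbanAndCurrency(iban, "").stream()
                .allMatch(account -> account.isEnabled());
    }

    /** Returns the account id recorded on the payment with the given id. */
    private String getAccountIdFromPayment(String paymentId) {
        return this.paymentService.getPaymentById(paymentId).getAccountId();
    }

    /**
     * Branch check used by {@link #hasManagerAccessToUser(String)}.
     *
     * <p>Returns {@code true} for every caller without the STAFF role, so it is only a valid
     * decision after the caller's SYSTEM/STAFF role has been verified; do not call it on its own.
     */
    private boolean hasAccessToUser(UserTO userTO, String userId) {
        if (!userHasRole(userTO, UserRoleTO.STAFF)) {
            return true;
        }
        // A target user without a branch is denied rather than raising a NullPointerException.
        String branch = this.userManagementService.findById(userId).getBranch();
        return branch != null && branch.equals(userTO.getId());
    }

    /** SYSTEM users pass unconditionally; others need access to the IBAN. */
    private boolean hasManagerAccessIban(String iban, UserTO userTO) {
        return userHasRole(userTO, UserRoleTO.SYSTEM) || userTO.hasAccessToAccountWithIban(iban);
    }

    /** SYSTEM users pass unconditionally; others need access to the account id. */
    private boolean hasManagerAccessId(String accountId, UserTO userTO) {
        return userHasRole(userTO, UserRoleTO.SYSTEM) || userTO.hasAccessToAccountWithId(accountId);
    }

    /** Returns {@code true} if the user's role collection contains the given role. */
    private static boolean userHasRole(UserTO user, UserRoleTO role) {
        return user.getUserRoles().contains(role);
    }
}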
